这是我的Spring Boot 1.5.1 Actuator application.properties :
This is my Spring Boot 1.5.1 Actuator application.properties:
#Spring Boot Actuator management.contextPath: /actuator management.security.roles=R_0这是我的 WebSecurityConfig :
@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Value("${logout.success.url}") private String logoutSuccessUrl; @Override protected void configure(HttpSecurity http) throws Exception { // @formatter:off http.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class); http .csrf().ignoringAntMatchers("/v1.0/**", "/logout") .and() .authorizeRequests() .antMatchers("/oauth/authorize").authenticated() //Anyone can access the urls .antMatchers("/signin/**").permitAll() .antMatchers("/v1.0/**").permitAll() .antMatchers("/auth/**").permitAll() .antMatchers("/actuator/health").permitAll() .antMatchers("/actuator/**").hasAuthority("R_0") .antMatchers("/login").permitAll() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") .loginProcessingUrl("/login") .failureUrl("/login?error=true") .usernameParameter("username") .passwordParameter("password") .permitAll() .and() .logout() .logoutUrl("/logout") .logoutSuccessUrl(logoutSuccessUrl) .permitAll(); // @formatter:on } /** * Configures the authentication manager bean which processes authentication requests. */ @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder()); } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } }现在我已经成功了使用具有 R_0 权限的合适用户登录我的应用程序,但是当我尝试访问时,例如
Right now I'm successfully able to login in my application with a right user that has R_0 authorities but when I trying to access for example
localhost:8080/api/actuator/beans我收到以下错误:
There was an unexpected error (type=Forbidden, status=403). Access is denied. User must have one of the these roles: R_0如何正确配置Spring Boot Actuator以便了解正确的身份验证?
How to correctly configure Spring Boot Actuator in order to be aware about the correct Authentication ?
现在为了让它工作,我必须做以下诀窍:
Right now in order to get it workin I have to do the following trick:
management.security.enabled=false .antMatchers("/actuator/health").permitAll() .antMatchers("/actuator/**").hasAuthority("R_0")是否有机会以正确的方式配置执行器?
Is any chance to configure Actuator in a right way ?
更新
我正在使用 UserDetailsService.UserDetails.Authorities
public Collection<? extends GrantedAuthority> getAuthorities() { String[] authorities = permissions.stream().map(p -> { return p.getName(); }).toArray(String[]::new); return AuthorityUtils.createAuthorityList(authorities); }推荐答案
你必须使用前缀<您的 management.security.roles 的code> ROLE _ 例如 management.security.roles = ROLE_SOMENAME 为了解决这个问题
You have to use prefix ROLE_ for your management.security.roles for example management.security.roles=ROLE_SOMENAME in order to solve this issue
更多推荐
Spring Boot Actuator Endpoints安全性不适用于自定义Spring Security配置
发布评论